Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 108
Members: 0
Total: 108
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> 2 new Vulnerabilities 2.0.17 Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
2 new Vulnerabilities 2.0.17
PostPosted: Mon Oct 31, 2005 8:53 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




PHPBB Multiple Unspecified Vulnerabilities
2005-10-31
http://www.securityfocus.com/bid/15246

PHPBB Global Variable Deregistration Bypass Vulnerabilities
2005-10-31
http://www.securityfocus.com/bid/15243
View user's profile Send private message
PostPosted: Mon Oct 31, 2005 11:21 pm Reply with quote
chapinhack
Beginner
Beginner
Joined: Nov 01, 2005
Posts: 1




how to operate this bug? some examples?
View user's profile Send private message MSN Messenger
PostPosted: Tue Nov 01, 2005 1:00 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Read it properly chapinhack


Quote:
phpBB is prone to multiple unspecified vulnerabilities. Some of these issues result from insufficient sanitization of user-supplied data, however, the causes and impacts of other issues were not specified.

phpBB 2.0.17 and prior versions are affected by these issues.

Due to a lack of information, further details cannot be provided at the moment. It is possible that some of these issues were reported prior to the release of this record. This BID will be updated when more information becomes available.
Wink

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 6:34 am Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




i think most of this "fixes" just make for improvemmed...

as now i just see some and they are just for performarce, i didn't see at all because it is a large list...

but if i found one, i would make a full description...

grettings from mexico


Last edited by g30rg3_x on Tue Nov 01, 2005 3:45 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Tue Nov 01, 2005 7:03 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Not just that but there was a way to by pass the register globals disabling in the phpBB script.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 3:43 pm Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




yeah but is still hard for bypass register_globals

but we can make a just little code for PoC...

grettings shai-tan
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Tue Nov 01, 2005 4:49 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Not as hard as you might think.

Quote:
Bypass Vulnerabilities

----------------------



[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global

variable $foobar by supplying a GET/POST/COOKIE variable

with the name 'foobar' but also by supplying a GPC variable

called 'GLOBALS[foobar]'. If the variable is supplied in

that way, the code above will not try to unset $foobar, but

$GLOBALS, which completely bypasses the protection.



[2] When the session extension is not started by a call to

session_start(), PHP does not know about the variables

$_SESSION or $HTTP_SESSION_VARS, which means, it is possible

to fill them with any value if register_globals is turned on.

Combined with the fact (that was even documented in the phpBB

code), that array_merge() will fail in PHP5, when at least

one of the parameters is not an array, it is possible for an

attacker to simply set HTTP_SESSION_VARS to a string and let

the complete protection fail, because $input ends up empty.



[3] When register_long_array is turned off PHP does not know

anymore about all the HTTP_* variables. This means they can

be filled with anything that is completely unrelated to the

existing global variables. It is obvious that the protection

cannot work, when this configuration is choosen.



Additonally to the 3 possible ways to bypass the globals

deregistration code, several not properly initalised variables

were disclosed to the vendor, that can even lead to remote code

execution.


And once you have done so this is the options you can look at.

Quote:

Not properly initialised variables

----------------------------------



[1] Within usercp_register.php the variable 'error_msg' is not

properly initialised and can therefore be used to inject

arbitrary HTML code



[2] Within login.php the variable 'forward_page' is not properly

initialised and can be used to inject arbitrary HTML code



[3] Within search.php the variable 'list_cat' is not properly

initialised and can be used to inject arbitrary HTML



[4] Within usercp_register.php the variable 'signature_bbcode_uid'

is not properly initialised and can be used for SQL injection

of arbitrary 'field=xxx' statements into queries operating

on the user table, when magic_quotes_gpc is turned off.



[5] The same variable [4] can be used to inject f.e. the 'e'

modifier into the first parameter of a preg_replace()

statement, which means, that the second parameter is

evaluated as PHP code. Because the second parameter is

entirely filled with the user supplied signature, it is

possible to execute any PHP code. This can be exploited,

no matter if magic_quotes_gpc is turned on or off, just

2 different code paths need to be triggered.


Glad to see you again g30rg3_x.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 7:49 pm Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




ok, i read whole document and i still don't know how to exploit that bug Wink
View user's profile Send private message
PostPosted: Wed Nov 02, 2005 1:15 am Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




Shocked

Thank you shai-tan...
with this i think i can make a little PoC

grettings


Last edited by g30rg3_x on Thu Nov 03, 2005 2:50 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Wed Nov 02, 2005 2:17 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




http://www.hardened-php.net/advisory_172005.75.html



No problem.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Nov 02, 2005 10:44 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




as always waiting for an exploit Wink
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 12:48 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Best and most satisfying is learning how to make them your-self. And then making them Razz


Shai-tan

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 2:48 am Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




shai-tan wrote:
Best and most satisfying is learning how to make them your-self. And then making them Razz


Shai-tan



Don't have mutch time to do that Razz Work etc :} Maybe some day :]
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 3:07 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




lolz it seems time is everones reason! lolz

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Nov 03, 2005 2:49 pm Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




like everybody i dont have really much time...

but i'm researching for exploit or well know in IT Security as Proof-Of-Concept, obviously i dont have enought time to do that rapidly...
so, like shai-tan says its very satisfying learning how to make by your-seld, than just wait for a new exploit/PoC and just used for be just another "deface kiddie or script kiddie"...

grettings from mexico shai-tan && waterbird
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
2 new Vulnerabilities 2.0.17
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds